Fix bug that didn't allow admin to see others' programs; add function…

…ality to see list of programs from a user through a link in the admin; is_admin helper method to clean up code.
TiBiBa · Feb 18, 2021 · 03d2dc7 · 03d2dc7
1 parent d2ded45
commit 03d2dc7
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 9 deletions.
diff --git a/app.py b/app.py
@@ -15,7 +15,7 @@
 from flask_commonmark import Commonmark
 from werkzeug.urls import url_encode
 from config import config
-from auth import auth_templates, current_user, requires_login
+from auth import auth_templates, current_user, requires_login, is_admin
 from utils import db_get, db_get_many, db_set, timems, type_check, object_check, db_del
 
 # app.py
@@ -165,9 +165,13 @@ def programs_page (request):
     if query_lang:
         query_lang = '?lang=' + query_lang
 
+    from_user = request.args.get('user') or None
+    if from_user and not is_admin (request):
+        return "unauthorized", 403
+
     texts=TRANSLATIONS.data [lang] ['Programs']
 
-    result = db_get_many ('programs', {'username': username}, True)
+    result = db_get_many ('programs', {'username': from_user or username}, True)
     programs = []
     now = timems ()
     for item in result:
@@ -183,7 +187,7 @@ def programs_page (request):
 
         programs.append ({'id': item ['id'], 'code': item ['code'], 'date': texts ['ago-1'] + ' ' + str (date) + ' ' + measure + ' ' + texts ['ago-2'], 'level': item ['level'], 'name': item ['name']})
 
-    return render_template('programs.html', lang=requested_lang(), menu=render_main_menu('programs'), texts=texts, auth=TRANSLATIONS.data [lang] ['Auth'], programs=programs, username=username, current_page='programs', query_lang=query_lang)
+    return render_template('programs.html', lang=requested_lang(), menu=render_main_menu('programs'), texts=texts, auth=TRANSLATIONS.data [lang] ['Auth'], programs=programs, username=username, current_page='programs', query_lang=query_lang, from_user=from_user)
 
 # @app.route('/post/', methods=['POST'])
 # for now we do not need a post but I am leaving it in for a potential future
@@ -204,8 +208,9 @@ def index(level, step):
         if not result:
             return 'No such program', 404
         # Allow both the owner of the program and the admin user to access the program
-        if current_user(request) != os.getenv ('ADMIN_USER') and result ['username'] != current_user(request) ['username']:
-            return 'No such program', 404
+        user = current_user (request)
+        if user ['username'] != result ['username'] and not is_admin (request):
+            return 'No such program!', 404
         loaded_program = result ['code']
         # We default to step 1 to provide a meaningful default assignment
         step = 1

diff --git a/auth.py b/auth.py
@@ -35,6 +35,10 @@ def current_user (request):
                 return user
     return {'username': '', 'email': ''}
 
+def is_admin (request):
+    user = current_user (request)
+    return user ['username'] == os.getenv ('ADMIN_USER') or user ['email'] == os.getenv ('ADMIN_USER')
+
 # The translations are imported here because current_user above is used by hedyweb.py and we need to avoid circular dependencies
 import hedyweb
 TRANSLATIONS = hedyweb.Translations ()
@@ -418,8 +422,7 @@ def auth_templates (page, lang, menu, request):
     if page in ['signup', 'login', 'recover', 'reset']:
         return render_template (page + '.html',  lang=lang, auth=TRANSLATIONS.data [lang] ['Auth'], menu=menu, username=current_user (request) ['username'], current_page='login')
     if page == 'admin':
-        user = current_user (request)
-        if user ['username'] != os.getenv ('ADMIN_USER') and user ['email'] != os.getenv ('ADMIN_USER'):
+        if not is_admin (request):
             return 'unauthorized', 403
 
         # After hitting 1k users, it'd be wise to add pagination.

diff --git a/templates/admin.html b/templates/admin.html
@@ -8,6 +8,7 @@ <h2>Users ({{ user_count }})</h2>
     <thead>
       <td>#</td>
       <td>Username</td>
+      <td>Programs</td>
       <td>Email</td>
       <td>Created</td>
       <td>Last login</td>
@@ -21,6 +22,7 @@ <h2>Users ({{ user_count }})</h2>
       <tr>
         <td>{{user.index}}</td>
         <td>{{user.username}}</td>
+        <td><a href="programs?user={{user.username}}">Programs</a></td>
         <td>{{user.email}}</td>
         <td>{{user.created}}</td>
         <td>{{user.last_login}}</td>

diff --git a/templates/programs.html b/templates/programs.html
@@ -2,7 +2,8 @@
 
 {% block body %}
 <div class="px-8">
-  <h2>{{texts.recent}}</h2>
+  {% if from_user %}<h2>{{from_user}}'s recent programs</h2>
+  {% else %}<h2>{{texts.recent}}</h2>{% endif %}
   <ul class="programs">
   {% for program in programs %}
     <li>
@@ -16,7 +17,7 @@ <h2>{{texts.recent}}</h2>
     </li>
     <br>
   {% endfor %}
-  {% if programs|length == 0 %}
+  {% if programs|length == 0 and not from_user %}
   <p>{{texts.no_programs}}
     <br><br>
     <button class="btn block flex-none self-end" onclick="window.open ('/hedy', '_self')">{{texts.write_first}}</button>